diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2008-06-04 18:10:09 +0200 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2008-06-04 18:10:09 +0200 |
commit | e0f7b87227c046458ba3d1449eb65f2c71fed683 (patch) | |
tree | 0c5b72fd122ec66e2ba630bf9648cb1c79daeb36 | |
parent | Remove old non-safestack code. (diff) | |
download | openssl-e0f7b87227c046458ba3d1449eb65f2c71fed683.tar.xz openssl-e0f7b87227c046458ba3d1449eb65f2c71fed683.zip |
Add support for Windoes dialog box based certificate selection.
-rw-r--r-- | engines/e_capi.c | 92 | ||||
-rw-r--r-- | engines/e_capi_err.c | 5 | ||||
-rw-r--r-- | engines/e_capi_err.h | 3 |
3 files changed, 93 insertions, 7 deletions
diff --git a/engines/e_capi.c b/engines/e_capi.c index f03d9c7c8a..76b05b76ab 100644 --- a/engines/e_capi.c +++ b/engines/e_capi.c @@ -92,6 +92,7 @@ static int capi_list_providers(CAPI_CTX *ctx, BIO *out); static int capi_list_containers(CAPI_CTX *ctx, BIO *out); int capi_list_certs(CAPI_CTX *ctx, BIO *out, char *storename); void capi_free_key(CAPI_KEY *key); +static int client_cert_select(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs); static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE hstore); @@ -423,7 +424,7 @@ static int capi_finish(ENGINE *e) struct CAPI_KEY_st { /* Associated certificate context (if any) */ - PCERT_CONTEXT pcert; + PCCERT_CONTEXT pcert; HCRYPTPROV hprov; HCRYPTKEY key; DWORD keyspec; @@ -1495,11 +1496,7 @@ static int cert_issuer_match(STACK_OF(X509_NAME) *ca_dn, X509 *x) return 0; } -static int client_cert_select(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs) - { -fprintf(stderr, "%d certificates\n", sk_X509_num(certs)); - return 0; - } + static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl, STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey, @@ -1548,6 +1545,7 @@ static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl, * we can retrieve the key later. */ excert = CertDuplicateCertificateContext(cert); + key->pcert = excert; X509_set_ex_data(x, cert_capi_idx, key); if (!certs) @@ -1562,6 +1560,8 @@ static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl, if (cert) CertFreeCertificateContext(cert); + if (hstore) + CertCloseStore(hstore, 0); if (!certs) return 0; @@ -1601,5 +1601,85 @@ static int capi_load_ssl_client_cert(ENGINE *e, SSL *ssl, } +#ifndef OPENSSL_CAPIENG_DIALOG + +/* Simple client cert selection function: always select first */ + +static int client_cert_select(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs) + { + return 0; + } + +#else + +/* More complex cert selection function, using standard function + * CryptUIDlgSelectCertificateFromStore() to produce a dialog box. + */ + +#include <cryptuiapi.h> + +static int client_cert_select(ENGINE *e, SSL *ssl, STACK_OF(X509) *certs) + { + X509 *x; + HCERTSTORE dstore; + PCCERT_CONTEXT cert; + CAPI_CTX *ctx; + CAPI_KEY *key; + int i, idx = -1; + ctx = ENGINE_get_ex_data(e, capi_idx); + /* Create an in memory store of certificates */ + dstore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, + CERT_STORE_CREATE_NEW_FLAG, NULL); + if (!dstore) + { + CAPIerr(CAPI_F_CLIENT_CERT_SELECT, CAPI_R_ERROR_CREATING_STORE); + capi_addlasterror(); + goto err; + } + /* Add all certificates to store */ + for(i = 0; i < sk_X509_num(certs); i++) + { + x = sk_X509_value(certs, i); + key = X509_get_ex_data(x, cert_capi_idx); + + if (!CertAddCertificateContextToStore(dstore, key->pcert, + CERT_STORE_ADD_NEW, NULL)) + { + CAPIerr(CAPI_F_CLIENT_CERT_SELECT, CAPI_R_ERROR_ADDING_CERT); + capi_addlasterror(); + goto err; + } + + } + /* Call dialog to select one */ + cert = CryptUIDlgSelectCertificateFromStore(dstore, NULL,NULL, NULL, + 0, 0, NULL); + + /* Find matching cert from list */ + if (cert) + { + for(i = 0; i < sk_X509_num(certs); i++) + { + x = sk_X509_value(certs, i); + key = X509_get_ex_data(x, cert_capi_idx); + if (CertCompareCertificate( + X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, + cert->pCertInfo, + key->pcert->pCertInfo)) + { + idx = i; + break; + } + } + } + + err: + if (dstore) + CertCloseStore(dstore, 0); + return idx; + + } +#endif + #endif #endif diff --git a/engines/e_capi_err.c b/engines/e_capi_err.c index 372cfacfb7..64d7f7237b 100644 --- a/engines/e_capi_err.c +++ b/engines/e_capi_err.c @@ -1,6 +1,6 @@ /* e_capi_err.c */ /* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -86,6 +86,7 @@ static ERR_STRING_DATA CAPI_str_functs[]= {ERR_FUNC(CAPI_F_CAPI_RSA_PRIV_DEC), "CAPI_RSA_PRIV_DEC"}, {ERR_FUNC(CAPI_F_CAPI_RSA_PRIV_ENC), "CAPI_RSA_PRIV_ENC"}, {ERR_FUNC(CAPI_F_CAPI_RSA_SIGN), "CAPI_RSA_SIGN"}, +{ERR_FUNC(CAPI_F_CLIENT_CERT_SELECT), "CLIENT_CERT_SELECT"}, {ERR_FUNC(CAPI_F_WIDE_TO_ASC), "WIDE_TO_ASC"}, {0,NULL} }; @@ -101,6 +102,8 @@ static ERR_STRING_DATA CAPI_str_reasons[]= {ERR_REASON(CAPI_R_DECRYPT_ERROR) ,"decrypt error"}, {ERR_REASON(CAPI_R_ENGINE_NOT_INITIALIZED),"engine not initialized"}, {ERR_REASON(CAPI_R_ENUMCONTAINERS_ERROR) ,"enumcontainers error"}, +{ERR_REASON(CAPI_R_ERROR_ADDING_CERT) ,"error adding cert"}, +{ERR_REASON(CAPI_R_ERROR_CREATING_STORE) ,"error creating store"}, {ERR_REASON(CAPI_R_ERROR_GETTING_FRIENDLY_NAME),"error getting friendly name"}, {ERR_REASON(CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO),"error getting key provider info"}, {ERR_REASON(CAPI_R_ERROR_OPENING_STORE) ,"error opening store"}, diff --git a/engines/e_capi_err.h b/engines/e_capi_err.h index e59c1dec6a..c8cf4671ee 100644 --- a/engines/e_capi_err.h +++ b/engines/e_capi_err.h @@ -83,6 +83,7 @@ static void ERR_CAPI_error(int function, int reason, char *file, int line); #define CAPI_F_CAPI_RSA_PRIV_DEC 110 #define CAPI_F_CAPI_RSA_PRIV_ENC 111 #define CAPI_F_CAPI_RSA_SIGN 112 +#define CAPI_F_CLIENT_CERT_SELECT 116 #define CAPI_F_WIDE_TO_ASC 113 /* Reason codes. */ @@ -95,6 +96,8 @@ static void ERR_CAPI_error(int function, int reason, char *file, int line); #define CAPI_R_DECRYPT_ERROR 105 #define CAPI_R_ENGINE_NOT_INITIALIZED 106 #define CAPI_R_ENUMCONTAINERS_ERROR 107 +#define CAPI_R_ERROR_ADDING_CERT 125 +#define CAPI_R_ERROR_CREATING_STORE 126 #define CAPI_R_ERROR_GETTING_FRIENDLY_NAME 108 #define CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO 109 #define CAPI_R_ERROR_OPENING_STORE 110 |